Kaspersky Lab: Flame cyber-espionage campaign dates back to 2006

Summary:Kaspersky Lab and its partners have found traces of at least three Flame-related malicious programs, one of which is operating in the wild.

Kaspersky Lab has published an update in its investigation of the Flame cyber-espionage campaign, which the security experts discovered in May.

Conducted in partnership with IMPACT, CERT-Bund/BSI and Symantec, findings pointed towards traces of three previously undiscovered malicious programs.

Specifically, Symantec has highlighted forensic analysis of two of the command-and-control servers behind the W32.Flamer attacks that targeted the Middle East earlier this year.

After analyzing the C&C servers, here are the main findings:

  • The servers were set up on March 25, 2012, and May 18, 2012, respectively.
  • The servers controlled at least a few hundred compromised computers over the next few weeks of their existence.
  • The server set up in March collected almost 6 GB of data from compromised computers in a little over a week, while the May server only received 75MB of data as it was used to distribute one command module to the compromised computers.

As for the three Flame-related programs, at least one of them is said to be currently operating in the wild, but there isn't any evidence that the Flame C&Cs were used to control other known malware such as Stuxnet or Gauss.

Further details about how the command-and-control technique took place with these servers are explained on Symantec's blog. Essentially, the attackers used a web application that enabled them to upload packages of code, deliver them to compromised computers, and then download packages containing stolen client data.

But going back further, researchers believes that this malware has allegedly been under development by a group of at least four developers since at least December 2006.

Additionally, researchers believe these servers have probably been used for more attacks than just the ones in this report, and the hackers used multiple encryption techniques while trying to securely wipe data from the servers on a periodic basis.

Thus, researchers argue that means the group behind the W32.Flamer attacks is quite sophisticated. Therefore, the malware and C&C servers must be "tied to well funded group" that has a lot of resources at its disposal.

Topics: Security


Rachel King is a staff writer for CBS Interactive based in San Francisco, covering business and enterprise technology for ZDNet, CNET and SmartPlanet. She has previously worked for The Business Insider, FastCompany.com, CNN's San Francisco bureau and the U.S. Department of State. Rachel has also written for MainStreet.com, Irish Americ... Full Bio

zdnet_core.socialButton.googleLabel Contact Disclosure

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Related Stories

The best of ZDNet, delivered

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
Subscription failed.